SLIDE 1
Lecture 1: Introduction to model checking
- B. Srivathsan
Chennai Mathematical Institute
Model Checking and Systems Verification January - April 2015
1/25
What are we interested in?
2/25
Lecture 1: Introduction to model checking B. Srivathsan Chennai - - PowerPoint PPT Presentation
Lecture 1: Introduction to model checking B. Srivathsan Chennai - - PowerPoint PPT Presentation
Lecture 1: Introduction to model checking B. Srivathsan Chennai Mathematical Institute Model Checking and Systems Verification January - April 2015 1 / 25 What are we interested in? 2 / 25 What are we interested in? Software Controllers Code
SLIDE 2
SLIDE 3
What are we interested in? Software Controllers
Code that controls the working of safety critical systems
2/25
SLIDE 4
Safety-critical systems
3/25
SLIDE 5
Controlled by software
◮ Aircrafts ◮ Medical devices ◮ Cars ◮ Nuclear power plants ◮ Space missions ◮ Railway signalling systems ◮ and many more ...
4/25
SLIDE 6
Controlled by software
◮ Aircrafts ◮ Medical devices ◮ Cars ◮ Nuclear power plants ◮ Space missions ◮ Railway signalling systems ◮ and many more ...
Correctness of these software is very important
4/25
SLIDE 7
Accidents due to software bugs
5/25
SLIDE 8
◮ Igor Walukiewicz’s slides (4 - 7) ◮ Yogananda Jeppu’s slides (22 - 38)
6/25
SLIDE 9
Errors that are hard to detect
7/25
SLIDE 10
Concurrent programs
while x < 200 x := x+1 while x>0 x := x-1 while x=200 x := 0
8/25
SLIDE 11
Concurrent programs
while x < 200 x := x+1 while x>0 x := x-1 while x=200 x := 0 Is the value of x always between 0 and 200?
8/25
SLIDE 12
Concurrent programs
while x < 200 x := x+1 while x>0 x := x-1 while x=200 x := 0 Is the value of x always between 0 and 200? No! (why?)
8/25
SLIDE 13
Goal: Make low-defect software controllers Traditional testing insufficient for safety-critical systems
9/25
SLIDE 14
Goal: Make low-defect software controllers Traditional testing insufficient for safety-critical systems → A new verification technology called Model-checking
Edmund Clarke Allen Emerson Joseph Sifakis
9/25
SLIDE 15
Model Checking
Think of controllers as finite state machines
10/25
SLIDE 16
Model Checking
Think of controllers as finite state machines
Philosophy: Computations as sequences of states - Igor’s slides (55 - 57)
10/25
SLIDE 17
while x < 200 x := x+1 while x>0 x := x-1 while x=200 x := 0
11/25
SLIDE 18
while x < 200 x := x+1 while x>0 x := x-1 while x=200 x := 0 Is the value of x always between 0 and 200?
11/25
SLIDE 19
while x < 200 x := x+1
l1 l2 x < 200 x := x+1
while x>0 x := x-1
m1 m2 x > 0 x:=x-1
while x=200 x := 0
n1 n2 x = 200 x:=0
Is the value of x always between 0 and 200?
11/25
SLIDE 20
l1,m1,n1 l2,m1,n1 l1,m2,n1 l1,m1,n2 l2,m2,n1 l2,m1,n2 l1,m2,n2 l2,m2,n2
x<200 x>0 x=200 x:=x+1 x:=x-1 x:=0 x>0 x:=x-1 x=200 x:=0 x<200 x:=x+1 x=200 x:=0 x<200 x:=x+1 x>0 x:=x-1 x=200 x:=0 x>0 x:=x-1 x<200 x:=x+1 12/25
SLIDE 21
l1,m1,n1 l2,m1,n1 l1,m2,n1 l1,m1,n2 l2,m2,n1 l2,m1,n2 l1,m2,n2 l2,m2,n2
x<200 x>0 x=200 x:=x+1 x:=x-1 x:=0 x>0 x:=x-1 x=200 x:=0 x<200 x:=x+1 x=200 x:=0 x<200 x:=x+1 x>0 x:=x-1 x=200 x:=0 x>0 x:=x-1 x<200 x:=x+1 12/25
SLIDE 22
l1,m1,n1 l2,m1,n1 l1,m2,n1 l1,m1,n2 l2,m2,n1 l2,m1,n2 l1,m2,n2 l2,m2,n2
x<200 x>0 x=200 x:=x+1 x:=x-1 x:=0 x>0 x:=x-1 x=200 x:=0 x<200 x:=x+1 x=200 x:=0 x<200 x:=x+1 x>0 x:=x-1 x=200 x:=0 x>0 x:=x-1 x<200 x:=x+1
Is the value of x always between 0 and 200? No
12/25
SLIDE 23
Instead of writing the code directly, the functionality is specified as a suitable mathematical model (extensions of finite state machines) This mathematical object can then be analyzed. The final code can be generated directly from the model.
13/25
SLIDE 24
Controller inputs
- utput action
Requirements Does satisfy
?
14/25
SLIDE 25
Controller inputs
- utput action
Requirements Does satisfy
?
Mathematical Model Formal notation
AG safe F p ∧ q
Does satisfy
?
14/25
SLIDE 26
Controller inputs
- utput action
Requirements Does satisfy
?
Mathematical Model Formal notation
AG safe F p ∧ q
Does satisfy
?
Model Checking
14/25
SLIDE 27
Model-checkers
Model Requirements Does satisfy
?
Format of the model-checker
15/25
SLIDE 28
Model-checkers
Model Requirements Does satisfy
?
Format of the model-checker Model-checkers automatically solve the above question
15/25
SLIDE 29
Model-checkers
Model Requirements Does satisfy
?
Format of the model-checker Model-checkers automatically solve the above question Some model-checkers: NuSMV, SPIN, TLA+, SCADE Suite
15/25
SLIDE 30
Success of Model-checking
16/25
SLIDE 31
Airbus
◮ Uses SCADE Suite (developed by Esterel Technologies) to develop
critical on board software for A340-500/600, A380 series aircrafts
◮ Significant decrease of coding errors due to extensive use of
automatic code generation. For Airbus A340, up to 70% of the code has been automatically generated
◮ Major productivity improvement, which is particularly significant
considering that the size of the software doubles with each new Airbus program
Source: Website of Esterel Technologies
17/25
SLIDE 32
Hardware verification
◮ Many companies, including industry leaders such as AT&T,
Cadence, Hewlett-Packard, IBM, Intel, LSI Logic, Motorola, Rockwell, Texas Instruments, and Silicon Graphics have created formal verification groups to help with ongoing designs.
◮ In many cases, these groups began by demonstrating the effectiveness
- f formal verification by finding subtle design errors that were
- verlooked by months of simulation.
Source: Acceptance of formal methods: Lessons from hardware design, by D. Dill and J. Rushby
18/25
SLIDE 33
Amazon
◮ Since 2011, engineers at Amazon Web Services (AWS) have used
formal specification and model checking to help solve difficult design problems in critical systems
Source: How Amazon Web Services Uses Formal Methods, by C. Newcombe et al.
19/25
SLIDE 34
Some other places where Model Checking technology is used
◮ Avionics:
Rockwell Collins, Honeywell
◮ Automobiles:
Toyota
◮ Space:
NASA, European Space Agency
◮ Others:
Microsoft Research, Tata
◮ Model-checking solutions:
Esterel technologies, BTC embedded systems, Mathworks, Prover technology
20/25
SLIDE 35
Some other places where Model Checking technology is used
◮ Avionics:
Rockwell Collins, Honeywell
◮ Automobiles:
Toyota
◮ Space:
NASA, European Space Agency
◮ Others:
Microsoft Research, Tata
◮ Model-checking solutions:
Esterel technologies, BTC embedded systems, Mathworks, Prover technology Backed by many university groups from all over the world!
20/25
SLIDE 36
Turing Award 2007
Clarke, Emerson and Sifakis for Model-checking
Some other Turing award winners:
◮ Edsger Dijkstra (1972) ◮ Donald Knuth (1974) ◮ Rabin and Scott (1976) ◮ Tony Hoare (1980) ◮ Ritchie and Thompson (1983) ◮ Hopcroft and Tarjan (1986) ◮ Rivest, Shamir, Adleman (2002)
21/25
SLIDE 37
Turing Award 1996
Amir Pnueli Pnueli received the Turing Award for seminal work introducing temporal logic into computing science and for outstanding contributions to program and systems verification
22/25
SLIDE 38
Turing Award 2013
Leslie Lamport He devised important algorithms and developed formal modeling and verification protocols that improve the quality of real distributed
- systems. These contributions have resulted in improved correctness,
performance, and reliability of computer systems.
23/25
SLIDE 39
What we have seen?
◮ Software control many safety-critical systems ◮ Accidents do occur due to software errors ◮ Model-checking is an additional verification method ◮ Model-checking has been successful
24/25
SLIDE 40
In this course
Introduction to techniques, tools and challenges in model-checking
◮ Part 1: (Srivathsan) Basic concepts, Automata-theoretic methods ◮ Part 2: (Srivas) Advanced concepts, Symbolic model-checking
Book: Principles of Model Checking, Christel Baier and Joost-Pieter Katoen, MIT Press (2008)
25/25